
VNC 4 Enterprise Server
User Guide

Contents
Document Conventions 2
  Software Versions 2
Introduction 3
  What are VNC Server and Viewer? 3
  Getting started 3
Installation 4
  Making a standard installation 4
  Service mode registration 4
Configuration 5
  Customising VNC Server 4 5
  Where maximum security is required 5
  Where speed is the most important factor 6
  Where the server is being demonstrated to a group 6
Using VNC Server 4 7
  Starting and stopping VNC Server 4 7
  Starting and stopping in user-mode 7
  Connecting to (and from) VNC Server 4 7
  Starting and stopping in service-mode 8
Further information 9
  Options when installing 10
  VNC Server Properties 12
  Displaying VNC Server Properties 12
  Security 13
  Connections 15
  Inputs 16
  Sharing 17
  Desktop 18
  Capture Method (Hooks) 19
  Legacy 20
  VNC Extended authentication 21
  NT Logon authentication 22
  Two modes of operation 23
  User mode 23
  Service mode 23
  Listening viewer (server-initiated connection) 24
  Access control: Allow, deny or query addresses 25
  Calculating a range mask for access control 26
  Ordering entries in the access control list 27
  Dealing with firewalls 28
  Changing VNC ports 28
  What is an IP address? 29
  What is a Subnet mask? 30
  How a subnet mask actually works 30
  What is a port? 31
  VNC authentication and encryption 32
  Windows version support 33
  Troubleshooting 34
  Support 35
  Via the web 35
  By post 35
Index 36

page
1 introduction installation configuration using vnc server 4 further information index
Document Conventions

Software Versions
This document covers all versions of VNC Server Enterprise Edition from version 4.1. However, it includes features that are not available in all versions. Where the operation or user interface of the software has changed substantially, this is marked in the text using coloured backgrounds (not reproduced in this text version) as follows:
• The feature described was added in version 4.1.3, or has changed substantially between versions 4.1.2 and 4.1.3.
• The feature described was added in version 4.1.4, or has changed substantially between versions 4.1.3 and 4.1.4.

Introduction

What are VNC Server and Viewer?
VNC offers a deceptively simple service - it allows you to view and control a remote system as though seated next to it, wherever you are.
The compact VNC Server 4 application runs on the system to be controlled. Meanwhile, connecting systems can either run the VNC Viewer application or use a standard web browser to download and use a Java viewer from the server system.
VNC adapts itself automatically and dynamically to varying conditions, including differing screen contents and network bandwidths. VNC is also platform independent and will happily allow a Windows system to control a Linux server, or vice versa.
[Figure: SERVER - NETWORK - VIEWER. VNC breaks the Server screen image down into constituent parts and transmits them to the Viewer. Controlling mouse movements and key press inputs from the Viewer are sent to the Server.]
VNC Server 4 provides two main modes of operation to suit the manner in which the server system will be used and accessed. Please see Two modes of operation for details.
Thanks to a comprehensive update VNC now also offers:
• Full user and server authentication,
• Secure link encryption,
• Server screen scaling to fit any window size.

Getting started
This guide provides information on various aspects of installing, configuring and using VNC Server 4:
• Installation: Making a standard installation; Service mode registration
• Configuration: Tips on customising VNC Server 4 for different situations
• Using VNC Server 4: Connecting to (and from) the server; How to start and stop VNC Server 4
• Further information: Options when installing; VNC Server Properties; NT Logon authentication; Two modes of operation: User and Service; Listening viewer; Access control: Allow, deny or query addresses; Firewalls; What is an IP address?; What is a subnet mask?; What is a port?; Windows version support; Troubleshooting; Support

Installation

Making a standard installation
VNC was designed from the outset to be efficient and compact in operation and such qualities also apply to its installation. VNC Server 4 is available as a self-extracting installer downloaded from the RealVNC website.

To install VNC Server 4
1 Run the downloaded self-extracting installer and follow the on-screen prompts. For the majority of installations it should be possible to choose all of the default options at almost every stage. At certain points you will be asked to enter a password and a valid license key.
Please refer to the Options when installing section for details about any part of the installation procedure.
If you choose all of the default options, then your VNC Server 4 installation will be as follows:
• Operation mode: Service-Mode
• Configuration: VNC Authentication; Encryption: Always On
• Connection port: 5900
• Status: Running and ready to receive connections [dormant VNC Server 4 icon within the system tray - this indicates that the server is running but not currently actively connected]
• File location: C:\Program Files\RealVNC\VNC4

Service mode registration
During installation, if you chose not to Register and configure VNC Server for Service-Mode then VNC Server can be registered for use in Service-Mode via the Start Menu option. When registered, VNC Server will automatically run every time the computer is switched on, even before any users have logged on.
When no longer needed as a system service, you can unregister VNC Server at any time.

To register service mode
1 Click the Windows Start button. Choose All Programs (or Programs in non-XP versions). Select the RealVNC entry, then VNC Server 4 (Service-Mode) and finally select Register VNC Service.
VNC Server 4 service mode will be registered within Windows and a confirmation message should be displayed. When you next boot up the system, VNC Server 4 will automatically start as a system service. Alternatively, VNC Server can be started immediately by selecting the ‘Start VNC Service’ menu item.

To unregister service mode
1 Click the Windows Start button. Choose All Programs (or Programs in non-XP versions). Select the RealVNC entry, then VNC Server 4 (Service-Mode) and finally select Unregister VNC Service.
VNC Server 4 service mode registration will be removed and a confirmation message should be displayed. Although VNC Server 4 will continue to operate for the moment, when you next boot up the system, it will not automatically start. VNC Server can be stopped immediately by selecting the ‘Stop VNC Service’ menu item (see below).

To stop the VNC Server 4 immediately, either:
• Select the Stop VNC Service option within the same Start menu folder as mentioned above, or
• Right click on the VNC Server icon in the system tray to display a popup menu. Select the Close VNC Server option.
Note that on Windows NT-based systems, to stop the VNC Server you must be logged on as a member of the Administrators security group.
In either case, a confirmation dialog will be displayed. Click the Yes button to proceed.

Configuration

Customising VNC Server 4
VNC Server 4 operates perfectly well using its default installation options. However, by making various changes it is possible to optimise VNC Server operation for particular situations. The types of uses covered in this chapter are:
• Where maximum security is required - see below
• Where speed is the most important factor
• Where the server is being demonstrated to a group
All changes are made using the VNC Server Properties page. See Displaying VNC Server Properties for details about how to access it.

Where maximum security is required
There are numerous VNC Server 4 settings on various tabs that affect security and it is worth ensuring that they are all configured correctly when security is of particular concern.

Security tab [see Security for all options]
In order to create a secure server system, the most crucial settings to consider are Encryption and Authentication. The configurations of these two settings combine to determine the robustness of your server system and its connections.
• Wherever possible the Encryption setting should be set to Always On. The only real drawback here is that users with older legacy viewers will be unable to make a connection (the best remedy is to upgrade such users to VNC Viewer 4 or above).
• With Encryption set to Always On, you can choose to use either type of Authentication: VNC Password or NT Logon. The latter is recommended because it uses the native Windows security system and allows you to allocate different access rights to users or groups of users. Note: NT Logon Authentication cannot be used with servers on Windows 95, 98 or Me.
• If you must support legacy users who cannot be upgraded, then you should set Encryption to Prefer On and you will need to select VNC Password Authentication. Such settings are not ideal from a security viewpoint because legacy viewers will be authenticated using only the first eight characters of a password, rather than a full length of up to 255 characters. Also, connecting legacy viewers cannot select encryption and will make no attempt to authenticate the server. If possible, consider redressing the balance a little using Access Control (within the Connections tab) to restrict access to specific IP addresses.
• If a user will be present at the server system, you may wish to manually approve each connection. If so, tick Prompt local user to accept connections. Exceptions may be made for particular privileged users by granting them the Connect without querying local user right in the NT Logon configuration dialog.

Sharing tab [see Sharing for all options]
• If one remote user should not be observable by another, select the Never treat new connections as shared option.
• If the existing user should retain precedence over new users, untick the Non-shared connections replace existing ones option.

Connections tab [see Connections for all options]
• Ports - Consider combining the main access port (Accept connections on port) and the Serve Java viewer... port to use the same number. This will mean that only one port needs to be opened through a firewall. Combining the ports will cause each initial connection to take up to two seconds longer to complete. See Dealing with firewalls for details.
• Disconnect idle clients - Reduce the idle time to help ensure that abandoned connections are not abused at the user's system.
• Access control - Where possible define the IP addresses from which connections will be accepted and deny access to all others. See Access control for details.
• See also Listening viewer for details about how to avoid opening any new firewall ports by using the server to initiate connections to each viewer.

Inputs tab [see Inputs for all options]
• Clipboard updates - To prevent information being removed from, or added to, the system via the clipboard, untick both the Accept clipboard updates from clients and the Send clipboard updates to clients options.
• Allow ... events - In situations where users need to view but not interact with the server, you can untick the pointer and keyboard events options. When using NT Logon authentication, you can also untick various rights within the NT Logon configuration dialog.

Desktop tab [see Desktop for all options]
• When last client disconnects - If the system is to be locally unattended and there is a chance of it being accessed by passers by, select the Lock workstation option to ensure that the system is not left open following a remote session.

Legacy tab [see Legacy for all options]
• Ensure that the Only use protocol version 3.3 option is not ticked. This option forces the server into a compatibility mode that does not support advanced authentication or encryption features.
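The checklist above can be turned into a mechanical audit. The following is an added example (not RealVNC code) that compares a weak configuration with a hardened one using the command-line parameter names this guide documents in the Security and Connections sections (UserPasswdVerifier, SecurityTypes, QueryConnect, LocalHost, IdleTimeout). The access-control list is passed under the key "Hosts", which is an assumed name, and both configurations are constructed for the example.

```python
"""Audit a VNC Server 4 configuration against the 'maximum security'
checklist. Added example, not RealVNC code. Parameter names are the
command-line equivalents the guide documents; "Hosts" (the access-control
list) is an assumed key name."""

# Security types that carry no link encryption: 'ne' variants and None.
UNENCRYPTED_TYPES = {"None", "RA2ne", "SSPIne"}

# Constructed example: a server relaxed to 'Prefer On' for legacy viewers,
# never timing out idle viewers, and still on the installer's allow-all list.
WEAK = {
    "UserPasswdVerifier": "VncAuth",
    "SecurityTypes": "RA2,RA2ne,None",   # Encryption: Prefer On
    "QueryConnect": False,
    "IdleTimeout": 0,                     # 0 = never disconnect idle viewers
    "LocalHost": False,
    "Hosts": ["+0.0.0.0/0.0.0.0"],        # default entry: allow every address
}

# The same server after the checklist has been applied.
HARDENED = {
    "UserPasswdVerifier": "NtLogon",
    "SecurityTypes": "RA2",               # Encryption: Always On
    "QueryConnect": True,
    "IdleTimeout": 600,
    "LocalHost": False,
    "Hosts": ["+192.168.4.0/255.255.255.0", "-0.0.0.0/0.0.0.0"],
}


def _allows_everyone(hosts):
    """True if an allow entry with an all-zero mask is present; such an
    entry matches every possible source address."""
    return any(h.startswith("+") and h.endswith("/0.0.0.0") for h in hosts)


def audit(params):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    verifier = params.get("UserPasswdVerifier", "VncAuth")
    if verifier == "None":
        findings.append("UserPasswdVerifier=None: viewers connect with no password at all")
    elif verifier != "NtLogon":
        findings.append(f"UserPasswdVerifier={verifier}: NT Logon is recommended on NT-based Windows")
    types = [t for t in params.get("SecurityTypes", "").split(",") if t]
    weak = [t for t in types if t in UNENCRYPTED_TYPES]
    if weak:
        findings.append(f"SecurityTypes offers unencrypted types {','.join(weak)}: Encryption is not Always On")
    if int(params.get("IdleTimeout", 3600)) == 0:
        findings.append("IdleTimeout=0: abandoned viewer sessions are never closed")
    # With LocalHost=true the access list is ignored, so only check it otherwise.
    if not params.get("LocalHost", False) and _allows_everyone(params.get("Hosts", ["+0.0.0.0/0.0.0.0"])):
        findings.append("access control allows every address: restrict to known viewer addresses")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name + ":", audit(cfg) or ["OK"])
```

Prompt local user to accept connections is deliberately not flagged: the text presents it as optional, and an unattended server cannot answer the prompt.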

Where speed is the most important factor
The speed of response is affected by several factors.

Security tab [see Security for all options]
• Encryption - The use of data encryption imposes small performance overheads. Where the threat of data interception is not a strong issue, the Encryption option could be set to Prefer Off. VNC Viewers select Let Server Choose as standard for their encryption setting, so the link will be unencrypted unless a viewer explicitly requests an encrypted session.

Connections tab [see Connections for all options]
• Ports - Combining the main access port (Accept connections on port) and the Serve Java viewer... port to use the same number lengthens the initial connection time by up to two seconds. Where possible, ensure that these options are set to use different port numbers.

Desktop tab [see Desktop for all options]
• While connected - All three of the options in this section affect response speed. All should be ticked to reduce the information needed to be sent to the viewer.

Where the server is being demonstrated to a group
There are a number of areas where small changes may make VNC Server 4 even more suitable for demonstration purposes.

Connections tab [see Connections for all options]
• Disconnect idle clients after - Ensure that the value set here will not affect viewers who are observing a server demonstration but not necessarily responding to it.

Inputs tab [see Inputs for all options]
• Accept events - Depending on the type of demonstration, it may be advantageous to prevent the viewers from controlling the system. If so, untick both the Accept pointer events from clients and the Accept keyboard events from clients options in order to retain control.

Sharing tab [see Sharing for all options]
• If multiple viewers must be simultaneously connected, obviously there must be some element of sharing. Select the Always treat new connections as shared option and, as a precaution against certain viewer configurations, untick the Non-shared connections replace existing ones option.

Desktop tab [see Desktop for all options]
• While connected - Ticking all three of the options within this section can help to improve performance, as in the speed case above. However, will the loss of the background pattern or wallpaper detract from the demonstration?

Listening viewer
In addition to the above settings, a very useful feature when demonstrating is to use the Listening viewer feature. This allows the server user to initiate connections to one or more viewers, relieving the users of this task. To achieve this, each VNC viewer application must be told to listen for connection attempts. See Listening viewer for more details.

Using VNC Server 4
In operation, VNC Server 4 remains almost unnoticed in the background, using minimal system resources. Its only visibility is as an icon within the system tray (or notification area) in the lower right corner of the Windows screen.
[Dormant VNC Server 4 icon within the system tray - this indicates that the server is running but not currently actively connected]
[Move the mouse cursor over the VNC Server 4 icon to discover the server’s IP address as well as its current operation mode: Service or User]
The VNC Server 4 will remain dormant until an incoming connection request is received, whereupon it will deal with the request. In doing this, it will apply all relevant connection, security and operation options, as determined by the settings within the VNC Server Properties dialog.
[Active VNC Server 4 icon within the system tray - this indicates that the server is running and has at least one active connection]

Connecting to (and from) VNC Server 4
Once running (in Service- or User-Mode) VNC Server 4 can be accessed either by VNC Viewers or any Java-enabled web browser - see the VNC Viewer 4 user guide for full details. Additionally, the server system can be made to initiate connections to VNC Viewers that have been set to listen for such approaches - see Listening viewer (server-initiated connection) for details.

Starting and stopping VNC Server 4
If VNC Server 4 has not been configured to start automatically, then you can start it, in either its User or Service modes, using the Start menu.
Note: See Two modes of operation for more details about User and Service modes.

Starting and stopping in user-mode

To start VNC Server 4 (user-mode)
1 Click the Windows Start button and choose All Programs (or Programs in non-XP versions).
2 Select the RealVNC entry, then VNC Server 4 (User-Mode) and finally select Run VNC Server.

To stop VNC Server 4
1 Right click on the VNC Server icon in the system tray to display a popup menu. Select the Close VNC Server option. A confirmation dialog will be displayed.
2 Click the Yes button to proceed.

Starting and stopping in service-mode

To start VNC Server 4 (service-mode)
1 Click the Windows Start button and choose All Programs (or Programs in non-XP versions).
2 Select the RealVNC entry, then VNC Server 4 (Service-Mode) and finally select Start VNC Service.

To stop VNC Server 4 (service-mode)
There are two ways to stop the VNC Server 4 when running in service-mode, either:
• Use the VNC Server system tray icon (as per the user-mode instructions), or
• Use the Start menu:
1 Click the Windows Start button and choose All Programs (or Programs in non-XP versions).
2 Select the RealVNC entry, then VNC Server 4 (Service-Mode) and finally select Stop VNC Service. A confirmation dialog will be displayed.
3 Click the Yes button to proceed.

Further information
This section provides detailed information on a range of subjects related to VNC Server 4:
• Options when installing
An overview of the installation and explanation of the available options.
• VNC Server Properties
Displaying VNC Server Properties
Security • Connections • Inputs • Sharing • Desktop • Hooks • Legacy
• NT Logon authentication
• Two modes of operation
User mode • Service mode
• Listening viewer (server-initiated connection)
• Access control: Allow, deny or query addresses
Calculating a range mask for access control
Ordering the access control list entries
• Dealing with firewalls
Changing VNC ports
• What is an IP address?
• What is a subnet mask?
How a subnet mask actually works
• What is a port?
• Windows versions and limitations
• Troubleshooting
• Support

Options when installing
For the majority of VNC Server 4 installations, simply clicking through with the setup screens using the Next button will be sufficient. For situations where alternative settings may be required, this section provides an overview of the setup procedure.

To install VNC Server 4
1 Run the downloaded self-extracting installer.
2 When the setup program begins, click the Next button to acknowledge the welcome screen.
3 License Agreement page: Read the License Agreement page, select the I accept the agreement option and click the Next button.
4 Select Destination Location page: Click the Next button to accept the default VNC folder location, or use the Browse button to select an alternative location.
5 Select components page: Both the VNC Server and VNC Viewer will be installed by default. Untick options, as necessary, to prevent their installation. Click the Next button to continue.
6 Select Start Menu Folder: Click the Next button to agree RealVNC as the start menu folder name, or use the Browse button to locate an alternative. Optionally, tick Don’t create a Start Menu folder to avoid adding any VNC entries to the Windows start menu.
7 Select Additional Tasks page: Set the required options and click the Next button:
• Tick to create a VNC Viewer icon on your Windows desktop.
• Tick to create a VNC Viewer icon within the Quick Launch section adjacent to the Start button.
• Tick to perform the necessary system registration to allow VNC Server 4 to run as a Windows service.
• Tick to automatically run VNC Server 4 as a Windows service at every boot-up.
• Tick to configure the necessary license key. This step needs to be completed either now or at a later time before operation can take place.
8 Ready to install page: This page provides a summary of all installation options. Click the Install button to begin creating components within the selected folder.
9 VNC Server Properties page: If Register and configure VNC Server for Service-Mode was ticked, the VNC Server Properties page will be displayed. You can either make any required configuration changes now or at a later time. See the Configuration section for details. Click OK.
10 If Register and configure VNC Server for Service-Mode was ticked and an existing secure key was not found then you will be given the option of having one automatically generated. Click OK. A confirmation message will be given when the key has been generated.

11 If VNC Authentication (the default) was selected, and no VNC password is currently stored, then you will be prompted to supply one, to be used to authenticate incoming viewer connections. Enter a new password, enter it again to confirm and click OK.
12 If Install a VNC Server licence key was ticked, and a valid licence key is not currently installed, then you will be prompted to supply a licence key. The license key will have been emailed to you when you purchased your VNC Enterprise Edition license. Either copy and paste the supplied license key and click OK or, if you are evaluating VNC Server 4, click the Trial License button.
13 Information page: After installation has taken place, a list of acknowledgements and a reminder of the end user license agreement will be displayed. Please read through and then click the Next button.
14 In the final page, click the Finish button to conclude the installation procedure.

VNC Server Properties
The VNC Server Properties dialog is where the key aspects of operation are configured via seven tabbed pages which are labelled as follows:
• Security
• Connections
• Inputs
• Sharing
• Desktop
• Hooks
• Legacy
During installation the settings contained within this dialog are configured to meet the general requirements of most common installations. However, for assistance on customising operation for particular tasks, please see the Configuration section.

Displaying VNC Server Properties
The VNC Server Properties dialog can be accessed either from the VNC Server 4 system tray icon, or from the Windows Start button.

To display VNC Server Properties (via the system tray icon)
1 In the lower right hand corner of the Windows task bar, move the mouse pointer over the VNC icon.
• If no icon is visible then VNC Server 4 may not be running, see Starting VNC Server 4 for details.
2 Click the right mouse button to reveal a popup menu.
3 Use the left mouse button to select Options…
The VNC Server Properties window will be displayed with the Security tab selected.

To display VNC Server Properties (via the Start menu)
1 Click the Windows Start button. Choose All Programs (or Programs in non-XP versions) and then select the RealVNC entry.
2 Choose the Start menu sub-options that are appropriate to the VNC Server mode that will be used, either:
• Select VNC Server 4 (Service-Mode) and then choose Configure VNC Service, or
• Select VNC Server 4 (User-Mode) and then choose Configure User-Mode Settings.
In either case the appropriate VNC Server Properties window will be displayed with the Security tab selected.

Security
The security tab is concerned with two important operational areas: User authentication and Encryption.
Note: The authentication and encryption settings are very closely related and the overall effect on security is a product of both settings.

No Authentication
When selected, this option will allow viewer applications to connect with the VNC Server without the need for username or password. This option can be useful when the server system is operating within a completely secure environment such as a Local Area Network or Virtual Private Network, to remove the requirement for authentication.
[Command line equivalent: UserPasswdVerifier=None]
IMPORTANT: Use this option with extreme caution. Do NOT use it unless the host network is known to be completely secure.
Note: Encryption can be used even if ‘No authentication’ is configured.

VNC Password Authentication
When selected, this option will require any viewer application to supply a valid password before granting access to the server system. Use the adjacent Configure button to create up to four passwords, each of up to 255 characters. Note: If the Encryption option is not set to Always On then legacy viewers will be required to provide only the first eight characters of any password.
[Command line equivalent: UserPasswdVerifier=VncAuth]

Configure
Click this button to create a password of up to 255 characters that you will use to access the VNC Server. There are no imposed minimum requirements for the password, however, you are strongly recommended to use at least six characters and to use a mixture of letters and numerals. When VNC Server is accessed by older VNC viewers, only the first 8 characters of the password will be checked. It is therefore advisable to set the Encryption level to Always On, to prevent legacy viewers connecting, for maximum security.

VNC Extended Authentication
Starting with version 4.1.4, the standard VNC Password authentication has been superseded by VNC Extended Authentication. This allows up to four passwords each of up to 255 characters for a standard user, an admin user, a view-only user and an input-only user. To configure the admin, view-only and input-only passwords, click the Extended Configuration button to access the VNC Extended Authentication dialog.

NT Logon Authentication
This option (not available on Windows 95, 98 or Me installations) links into the internal security system within Windows NT, 2003 Server and XP. The advantage of this method is that, using the Windows user configurations, you can grant different permissions for different types of users, e.g. administrators, guests, users, etc.
[Command line equivalent: UserPasswdVerifier=NtLogon]

Configure
Click this button to gain access to the Windows permissions for VNC Server dialog. From here you can select existing user groups for the server system and edit their permissions.

Allow Single Sign-On authentication
If single sign-on is enabled in both the VNC server and the VNC viewer, then the viewer will initially attempt to authenticate the user using his or her login credentials. Only if this fails is the user prompted for a username and password. The advantage of single sign-on is that the user does not have to re-enter his or her password. However, in an environment where workstations are regularly left unattended and unlocked, it can introduce a security risk.
IMPORTANT: Under Windows NT 4, if single sign-on is enabled on the server, then only viewers running under Windows NT 4 will be able to connect using single sign-on. To connect from other viewers you must explicitly disable single sign-on in either the server or the viewer—the viewer will not automatically prompt the user for a username and password in this situation. This is due to a limitation of Windows NT 4.

Encryption
[Command line equivalents: SecurityTypes=see {entries} below]
This option allows you to determine how encryption will be applied to user connections.
There are three choices:
Prefer Off: Creates un-encrypted links unless an incoming VNC Viewer has its settings as
‘Prefer On’ or ‘Always On’, in which case the link would be encrypted. {RA2ne,None,RA2}
Prefer On: Creates encrypted links unless an incoming VNC Viewer has its settings as ‘Prefer
Off ’, in which case the link would be un-encrypted. {RA2,RA2ne,None}
Always On: Forces all viewer connections to be encrypted. Legacy viewers cannot connect
when this setting is used. {RA2}
In addition to the SecurityTypes parameter values given above, if single sign-on is enabled,
then RA2 and RA2ne are replaced with SSPI,RA2 and SSPIne,RA2ne, respectively.
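The three settings interact with the viewer's own encryption setting, and the outcome is easiest to see when the negotiation is modelled. The following is an added example (not RealVNC code): the server-side lists are exactly the SecurityTypes values given above, including the single sign-on substitution; the viewer-side rule (walk the offered list in order and take the first type the viewer is prepared to use) is an assumption chosen to reproduce the outcomes the text describes, and a legacy viewer is assumed to understand none of the RA2/RA2ne/SSPI/SSPIne types.

```python
"""Model of how the Encryption setting becomes the server's SecurityTypes
list and which type a viewer ends up with. Added example, not RealVNC code;
the viewer selection rule is an assumption."""

ENCRYPTED = {"RA2", "SSPI"}                 # RSA-AES, link encrypted
UNENCRYPTED = {"RA2ne", "SSPIne", "None"}   # 'ne' = no encryption
LEGACY_TYPES = {"None"}  # assumption: protocol 3.3 viewers know no RA2*/SSPI* type

# Server lists as given in the Encryption section, in preference order.
SERVER_LISTS = {
    "Prefer Off": ["RA2ne", "None", "RA2"],
    "Prefer On":  ["RA2", "RA2ne", "None"],
    "Always On":  ["RA2"],
}


def security_types(encryption, single_sign_on=False):
    """The SecurityTypes= value the server advertises. With single sign-on,
    RA2 becomes SSPI,RA2 and RA2ne becomes SSPIne,RA2ne."""
    if encryption not in SERVER_LISTS:
        raise ValueError(f"unknown Encryption setting: {encryption!r}")
    types = []
    for t in SERVER_LISTS[encryption]:
        if single_sign_on and t == "RA2":
            types += ["SSPI", "RA2"]
        elif single_sign_on and t == "RA2ne":
            types += ["SSPIne", "RA2ne"]
        else:
            types.append(t)
    return types


def viewer_choice(offered, viewer_pref="Let Server Choose", legacy=False):
    """Type a viewer selects from the server's offered list, or None if it
    cannot connect. viewer_pref is the viewer's own encryption setting."""
    if legacy:
        return next((t for t in offered if t in LEGACY_TYPES), None)
    if viewer_pref == "Let Server Choose":
        return offered[0] if offered else None
    wanted = ENCRYPTED if viewer_pref in ("Prefer On", "Always On") else UNENCRYPTED
    match = next((t for t in offered if t in wanted), None)
    if match is not None:
        return match
    if viewer_pref == "Always On":
        return None                              # viewer refuses a clear link
    return offered[0] if offered else None       # Prefer On/Off settle for the server's first choice


def link_encrypted(security_type):
    return security_type in ENCRYPTED


if __name__ == "__main__":
    for server in SERVER_LISTS:
        for viewer in ("Let Server Choose", "Prefer Off", "Prefer On", "Always On"):
            chosen = viewer_choice(security_types(server), viewer)
            state = "refused" if chosen is None else ("encrypted" if link_encrypted(chosen) else "CLEAR")
            print(f"server {server:10}  viewer {viewer:17} -> {str(chosen):6} {state}")
        print(f"server {server:10}  legacy viewer -> {viewer_choice(security_types(server), legacy=True)}")
```

Running the table shows the point the Configuration chapter makes: with the server on Prefer Off and the viewer on its default Let Server Choose, the link is clear; only Always On on the server guarantees encryption regardless of the viewer, and that is also the setting that refuses legacy viewers.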

Generate Keys
Click this button to create new RSA keys that are used as the basis for link encryption. This
operation normally needs to be carried out once only during installation.

Prompt local user to accept connections
When ticked, as each VNC viewer logs in, this option will display a confirmation dialog on the server system. The user of the server system must click to accept the dialog before the incoming viewer application is granted access. If no response is given (by the server user) within ten seconds, the connection is rejected. If a second viewer attempts to make access during this time, then it will be immediately rejected.
[Command line equivalent: QueryConnect=true/false]

Only prompt when there is a user logged on
When ticked, if a local user is logged on to the server system, they will be prompted to accept or reject incoming connections. With no local user logged on, connections are permitted as normal, subject to the other connection criteria.

Connections
This tab determines key connection details relating to the IP ports used, the IP addresses from which viewer connections will be accepted and also the idle disconnection time.

Accept connections on port
This option indicates the port through which viewer clients will be served. The standard setting of 5900 is expected by VNC viewer applications; however, if this port clashes with another local network service, then it can be changed to use any other vacant port number. Please note, however, if you alter this number, then the viewer user(s) will need to specify the non-standard port number as part of the network address when logging in – please see the VNC Viewer documentation, Making a connection, for more details.
[Command line equivalent: PortNumber=(port number)]

Disconnect idle clients after (seconds)
This option is similar to a screen-saver timeout, with the difference that when the specified number of seconds has elapsed without any input from a particular viewer, the viewer’s connection will be closed. After the set period of time has elapsed since the last user interaction, VNC Server 4 will terminate the connection in order to conserve resources. As standard this option is set to 3600 seconds, or 1 hour. To prevent any connection timeouts, set this option to 0 (zero).
[Command line equivalent: IdleTimeout=(seconds)]

Serve Java viewer via HTTP on port
This option determines the port through which VNC Server 4 will provide the Java viewer applet to Java-enabled browsers, when requested. As standard, the port number presented here is 100 lower than the current main port address and will change accordingly whenever

Serving Java separately
This is useful in situations where the number of open ports needs to be minimised for security. You can configure a central VNC Server to serve the Java applet to browsers, which (once loaded) can then contact alternative VNC Servers. Thus, only one central HTTP port (5800) needs to be opened for serving the applet, rather than one per server; each target server's own VNC port must of course still be reachable from the browser. The browsers used must have a Java Virtual Machine (JVM) that supports signed applets. Currently the Opera and Firefox browsers are known to be capable, as is Internet Explorer with Sun’s JVM installed.

Access control
This area allows you to restrict access from incoming viewers according to their originating/source IP addresses. Addresses can be specifically accepted or rejected on any scale from a single address right up to small or large scale ‘subnets’ of addresses.

Only accept connections from the local machine
When ticked, this option will cause the access control settings (if any) to be ignored and make the VNC Server 4 system inaccessible via all network interfaces except the local loopback interface.
[Command line equivalent: LocalHost=true/false]

Access address area
The access address area is where specific addresses or ranges of addresses are declared and set to be Allowed (denoted by a + prefix), Denied (denoted by a – prefix) or Queried (denoted by a ? prefix).
Each entry in the list comprises an action (+, -, ?), followed by an address pattern. Address patterns consist of an IP address or address prefix, followed by a subnet-style mask. The mask is used to determine how much of the IP address prefix must match the originating address of an incoming connection for the rule to apply to that connection. As standard, the list is empty except for a single “Allow All” entry (“+0.0.0.0/0.0.0.0”), which matches all possible IP addresses of connections and Allows them. If none of the specified rules apply to an incoming connection then the connection will be automatically rejected, for security.
Consider the following example entries:
• The first entry allows access from the single specific address 192.168.0.1.
• The second entry causes an access from the specific address 192.168.0.3 to be queried (the local user of the server system will need to approve the connection within ten seconds, otherwise it is refused).
• The third entry provides access from any machine situated in the 192.168.4 subnet.
• The fourth entry denies access from any other IP address.
the main port is changed. If necessary, you can manually alter the Java viewer port number. Note the original ‘+’ (include all) entry has been removed.
You may wish, for example, to have the Java viewer served on the same port through which the
server accepts VNC connections in order to simplify firewall configuration (connections can Please see Ordering entries in the access control list for details about editing Access Control entries.
take up to 2 seconds longer when this is done). The Java Viewer can be disabled by unticking To exclude a particular address or range of addresses, create a Deny rule and place it before
the check box, if it is not required or if the Java Viewer is to be provided by a separate server. any Allow rules.
[Command line equivalent: HTTPPortNumber=(port number)] [Command line equivalent: Hosts=[<pattern>[,<pattern> [...]]]]

Inputs
This tab determines the level of control that incoming viewer applications (clients) can gain over the server system.

Accept pointer events from clients
When ticked, the viewer user is permitted to control the server using their mouse. In combination with the ‘Accept keyboard events from clients’ and ‘Accept clipboard updates from clients’ options, disabling this control is useful for making the server a ‘view only’ system.
[Command line equivalent: AcceptPointerEvents=true/false]

Accept keyboard events from clients
When ticked, the viewer user is permitted to control the server using their keyboard. In combination with the ‘Accept pointer events from clients’ and ‘Accept clipboard updates from clients’ options, disabling this control is useful for making the server a ‘view only’ system.
[Command line equivalent: AcceptKeyEvents=true/false]

Accept clipboard updates from clients
When ticked, the viewer user can copy items from their system to the clipboard of the server. In combination with the ‘Accept pointer events from clients’ and ‘Accept keyboard events from clients’ options, disabling this control is useful for making the server a ‘view only’ system.
[Command line equivalent: AcceptCutText=true/false]

Send clipboard updates to clients
When ticked, any data added to the clipboard of the server system will be made available to the clipboard of any viewer user who is logged-in at the time. Disabling this option can be useful in preventing private server information from being leaked via the clipboard by untrusted viewer users.
[Command line equivalent: SendCutText=true/false]

Allow input events to affect the screen-saver
When ticked, this option allows the mouse and/or keyboard activity from the incoming viewer system to interrupt the screen-saver (if present) on the server system. This is a system option, implemented within later Windows versions and is not available under earlier releases (such as Windows NT).
[There is no equivalent command line option.]

Disable local inputs while server is in use
When ticked, this option ignores any input from the server’s own locally connected keyboard and/or mouse while remote VNC sessions are active. Note that the desktop remains visible.
[Command line equivalent: DisableLocalInputs=true/false]

Sharing
The options within this tab determine exactly how VNC Server 4 should behave when two or more viewers are connected to the server system. When viewers connect, they request either shared or non-shared connections to the server. Such requests come into effect when another user is also viewing the same server. The settings within this tab determine exactly how the server should respond to such requests.

Always treat new connections as shared
When selected, all incoming connections are treated as shared and so no existing users will be disconnected nor will new users be turned away.
[Command line equivalent: AlwaysShared=true, NeverShared=false]

Never treat new connections as shared
When selected, all incoming connections will be treated as non-shared. When a second incoming connection attempt is made, it will either be rejected or the existing user will be disconnected, depending upon the setting of the ‘Non-shared connections replace existing ones’ option.
[Command line equivalent: NeverShared=true, AlwaysShared=false]

Use client’s preferred sharing setting
When selected, VNC Server 4 will defer to the ‘Shared connection’ setting of the second incoming viewer. If the second viewer is set to share, then it will be permitted to make the connection; if not, it will either be rejected or will replace the existing viewer, depending upon the setting of the ‘Non-shared connections replace existing ones’ option.
[Command line equivalent: AlwaysShared=false, NeverShared=false]

Non-shared connections replace existing ones
This option will determine the outcome when a connection is non-shared, either by viewer choice or when the ‘Never treat new connections as shared’ option is selected. In such cases, if this option is ticked, then the existing user is disconnected. If this option is unticked, then the new user is rejected.
[Command line equivalent: DisconnectClients=true/false]

Desktop
This tab provides opportunities to fine tune performance by reducing unnecessary desktop effects and also allows you to determine how the server system should be left after it has been accessed.

While connected

Remove wallpaper
When ticked, the wallpaper image (if used) on the server system will be removed and replaced with a plain background whenever a VNC viewer is connected. This option will also attempt to disable Windows Active Desktop, if it is in use. This can help to reduce transmitted data and hence improve overall performance.
[Command line equivalent: RemoveWallpaper=true/false]

Remove background pattern
When ticked, the background pattern (if used) on the server system will be removed and replaced with a plain background whenever a VNC viewer is connected. This can help to reduce transmitted data and hence improve overall performance.
[Command line equivalent: RemovePattern=true/false]

Disable user interface effects
When ticked, any visual user interface effects, such as animated drop-down boxes, will be disabled whenever a VNC viewer is connected. This can help to reduce transmitted data and hence improve overall performance.
[Command line equivalent: DisableEffects=true/false]

When last client disconnects

Do nothing
When selected, there will be no change to the operation of the server once there are no more VNC viewers connected to it.
[Command line equivalent: DisconnectAction=None]

Lock workstation
When selected, after the last VNC viewer has disconnected, the server system will be temporarily locked and returned to its log-in screen. This option can help to avoid unauthorised access where the system is left unattended and other people are in its vicinity.
[Command line equivalent: DisconnectAction=Lock]

Logoff user
When selected, after the last VNC viewer has disconnected, the current user session of the server system will be ended and the system returned to its initial log-in screen. This option is useful to ensure that the server system never remains logged-on after a VNC session. This option can help to avoid unauthorised access where the system is left unattended and other people are in its vicinity.
[Command line equivalent: DisconnectAction=Logoff]

Capture Method (Hooks)
This tab concerns the various methods that VNC Server 4 can employ to keep track of changes to the desktop so that they may be transmitted to the current VNC viewer(s).
Note: This tab is titled Hooks within VNC versions prior to v4.1.

Use VNC hooks to track graphical updates
When selected, this option employs the standard VNC hooks technique to monitor changes to the local desktop. VNC hooks allow VNC Server 4 to monitor the messages sent to on-screen windows in order to ascertain when their content may have changed. This method is very successful; however, it can miss certain types of update or conversely can also mistakenly report areas as having changed when in fact they have not. For these reasons, you are recommended to use this method in conjunction with the ‘Poll console windows for updates’ option.
[Command line equivalent: CaptureMethod=hooks]
[Command line equivalent (prior to v4.1): UseHooks=true]

Poll console windows for updates
When ticked, this option will track the visible parts of console windows and poll those areas for changes. This option is best used in close combination with the ‘Use VNC hooks to track graphical updates’ option because the rate of polling can be reduced, which helps to increase performance.
[Command line equivalent: PollConsoleWindows=true/false]

Use VNC Mirror driver to track changes
When selected, this option takes advantage of a Windows facility that mirrors all primary display graphical updates to a secondary driver, such as VNC. This produces a fast and accurate update method; however, it operates at a low system level and could encounter problems on some systems. This option is disabled unless you have the VNC Mirror Driver installed.
[Command line equivalent: CaptureMethod=mirror]

Poll for changes to the desktop
When selected, this option polls the Windows display system for changes to the entire desktop. This method is slower than the ‘Use VNC Hooks...’ and ‘Use VNC Mirror...’ options. However, it can be useful in cases where the other two methods encounter timing/compatibility problems or cannot track an application that interfaces directly with the graphics card, such as with some DirectX applications.
[Command line equivalent: CaptureMethod=poll]
[Command line equivalent (prior to v4.1): UseHooks=false]

Capture alpha-blended windows
When ticked, this option tracks newer semi-transparent windows, as well as standard windows, including certain menus and tool tips. This method places higher requirements on the server and can induce cursor flicker.
[Command line equivalent: UseCaptureBlt=true/false]

Legacy
This tab contains options that are useful when migrating from an older version of VNC Server and where existing users are still using older viewers.

Import VNC 3.3 Settings
When selected, this option will attempt to overwrite the current VNC Server 4 settings with those of a previous WinVNC 3.3 installation that was installed on the same system. The exact settings that will be imported depend upon the current VNC Server 4 operation mode that you are using:
• User-Mode VNC Server 4: Will attempt to approximate your personal VNC 3.3 settings.
• Service-Mode VNC Server 4: Will attempt to match the default settings from the local system.
VNC Server 4 will warn you when it cannot match existing settings or if they are no longer
relevant.
It is not possible to run both WinVNC 3.3 and VNC Server 4 simultaneously on the same
port. Therefore, once the settings have been imported, you must either:
• Separately uninstall the WinVNC 3.3 service, or
• Configure one of the VNC Servers to operate on a different port number – Please refer to
Changing VNC Ports for further details.

Only use protocol version 3.3


When ticked, the VNC Server 4 will restrict its operation to use only the version 3.3 protocol.
This option is only provided to allow compatibility with some poorly-behaved third-party
viewer software, which reports incorrect protocol version numbers or assumes the presence
of non-standard features.
Warning: Use this option with caution as the advanced VNC Server security features such as
encryption and NT Logon authentication must be disabled completely in order to support older
viewers.
[Command line equivalent: Protocol3.3=true/false]

VNC Extended authentication
Older versions of VNC support VNC Password authentication, which has a single password
to control access to the desktop. Current versions still support this method of authentication,
but it has been extended to provide four different virtual users, each with a distinct pass-
word. Access to the desktop can be granted in a more controlled way using the following user
names:
• user has default access, meaning that anyone connecting as user can view and interact with the desktop using the keyboard and the mouse and can access the remote clipboard. However, if the QueryConnect feature is enabled, the local user can refuse the connection. If no username is specified when a connection is made, user is substituted as the default.
• admin has full access, meaning that anyone connecting as admin has all access rights described above, but the local user cannot refuse the connection, even if the QueryConnect feature is enabled.
• viewonly has permission to view the desktop, but cannot interact with it. Mouse and keyboard input is disabled, and access to the remote clipboard is denied. As with user, the local user can refuse the connection if QueryConnect is enabled.
• inputonly has permission to interact with the desktop, but cannot view it. Mouse and keyboard input and access to the remote clipboard are enabled, but the VNC Viewer window will remain blank. As with user and viewonly, the local user can refuse the connection if QueryConnect is enabled. The inputonly user is included mostly for completeness; in most situations it is not useful.
Each password can be up to 255 characters in length. There are no imposed minimum requirements for the passwords; however, you are strongly recommended to use at least six characters and to use a mixture of letters and numerals.

Enabling VNC Extended authentication
To enable VNC Extended authentication, set the authentication mechanism to VNC Password Authentication and then click the Configure button. This allows you to set the user password. To set the admin, viewonly or inputonly passwords, click the Extended Configuration button. Select the users you want to enable and click the corresponding Set Password button to set the password.

Legacy viewers
VNC Enterprise Edition provides support for legacy VNC viewers if VNC Extended authen-
tication is enabled. Legacy viewers do not allow a username to be entered, so they can only
authenticate as user. It is important to note that legacy viewers do not support passwords
longer than 8 characters. If the user password is longer than this, only the first 8 characters
will be checked. For maximum security, you can prevent legacy viewers from connecting by
setting the encryption level to Always On.

NT Logon authentication
VNC Server 4 offers the ability to authenticate users via the native security system of Windows (not 95, 98 or Me) and allows you to grant different access rights to particular users or groups.
Two main steps need to be completed via the Security tab:
• Select the NT Logon Authentication option, and
• Click the Access Control button to configure suitable user/group rights.

To configure NT Logon user/group permissions
1 Display the Security tab within the VNC Server properties dialog.
2 Click the Access Control button to display the permissions dialog.
Existing user or group names are displayed within the dialog. New users or groups can be added to the list using the Add... button. The procedure for adding new users/groups is a standard Windows function and is beyond the scope of this user guide.

The available access rights for users or groups via incoming VNC Viewer connections are as follows:
• View display contents
Allow the remote user to see the contents of the VNC Server desktop.
• Send pointer events / Send keyboard events
Allow the remote user to interact with applications running in the VNC Server desktop.
• Send and receive clipboard contents
Allow the clipboard contents to be synchronised between the viewer and server.
• Default access
Allow the default level of access (View display contents, Send pointer & keyboard events, Send and receive clipboard contents). When new access rights which are enabled by default become available, users and groups previously configured with Default access will automatically have access to them.
• Connect without accept/reject prompt
Allow the remote user to connect without a local user having manually accepted the connection. This allows the QueryConnect feature to be bypassed by particular users or groups, for emergency access to servers.
• Full access
Grant all available access rights. When new access rights become available, users with Full access will automatically have access to them, regardless of whether they are granted by default.
The default access rights granted to users and groups are as follows:
• Full access: Members of the local Administrators group; members of the local or domain VNC Admins group, if available.
• Default access: Members of the local or domain VNC Users group, if available.
• View display content: Members of the local or domain VNC View-only group, if available.

NT Logon Session Logging
In addition to the default logging of connection attempts by VNC Server, the NtLogon authentication method independently logs successfully authenticated sessions. Sessions’ log events are stored in the Application Event Log of the machine that authenticated the session.
• If a VNC session is made using local user account credentials then the session will be logged in the host computer’s event log.
• If a VNC session is made using domain-based credentials then the session will be logged with one of the domain’s controllers.

Two modes of operation
VNC Server 4 offers two levels of operation so that you can match it to suit your needs. The
two levels are: User mode and Service mode. When you install VNC Server 4, both modes will
be available and you can choose which one to use. The differences between the two modes are
as follows:

User mode
• Runs as a normal application, according to the current user’s rights on the system.
• Is not available when the user logs out or when the system is locked.
• VNC Server can be configured independently by each system user who wishes to run it.
• The NT logon authentication method is not supported in User mode under operating
systems older than Windows XP.
• Best used when:
• You are a single user who requires occasional help from a remote third party, need to
infrequently share work or need to control your system from elsewhere.

Service mode
• Is available as soon as the system has finished starting up, and continues to be available
even when you have logged out or the system is locked.
• Configured with a single set of system-wide options that apply regardless of which user (if
any) is logged in at the time.
• Best used when:
• Multiple local users of a system need to regularly offer remote access to their machine.
• The system needs to be accessed by a central administrator.
• System sharing/control is required out of hours when local users are normally logged
off.

Listening viewer (server-initiated connection)
In certain circumstances it can be preferable for the VNC server to initiate connections to one
or more viewers, rather than the other way round. For instance:
• Firewalls can often cause problems for incoming connections to server systems. When the
server initiates the connection to a viewer, this problem is overcome. The firewall must,
however, allow outgoing connections through port 5500. Also, if the viewer system is
behind its own firewall, then that must allow incoming connections, also at port 5500.
• Where VNC is used in a classroom or presentation environment, the tutor/presenter can
make his server initiate connections to each of the viewer systems. In this way greater
overall control is retained and this method obviates the need to provide server connection
information to each user.

To create a listening viewer connection


Two main stages need to occur:
1 Set the VNC Viewer on each user’s system to listen.
On each VNC Viewer system:
i Click the Windows Start button.
ii Choose All Programs (or Programs in non-XP versions). Select the RealVNC entry, then
VNC Viewer 4 and finally select Run Listening VNC Viewer.
(Alternatively, if starting VNC Viewer from a command line, add the switch ‘-listen’)
2 Prompt the VNC Server 4 to add a new client and enter the viewer’s IP address.
On the VNC Server 4 system:
i Right click on the VNC icon in the system tray.
ii From the popup menu, click the Add New Client option.
iii In the resulting popup dialog, enter the IP address
of the viewer system and click OK.
No username or password is required.
Providing the correct address is entered and there are
no firewall issues with the viewer system, the VNC
Viewer will display the server’s screen exactly as if it
had initiated the connection in the usual manner.

To end a listening viewer connection


Listening viewer connections can be terminated by either party, either:
• From the viewer: Close the viewer window.
• From the server: Right click on the VNC Server 4 icon in the system tray and select the
Disconnect Clients option.

Access control: Allow, deny or query addresses
VNC Server 4 provides the opportunity to specifically control connection requests from par-
ticular IP addresses, or ranges of addresses. For each specified IP address or range, you can:
• Allow – connection attempts from such addresses will be accepted (with the correct pass-
word, if set),
• Deny – connection attempts from such an address will be rejected immediately.
• Query – connection attempts will be announced to the local server user, who will need to
confirm acceptance (within ten seconds), otherwise the connection will be rejected.
Each entry requires an action (Allow, Deny, Query) and a pattern. Patterns consist of an IP
address or prefix, and a range mask (similar in form and function to a Subnet Mask) describ-
ing which parts of the supplied IP address must match and these are entered via the Connec-
tions tab within the VNC Server Properties dialog.

To add or edit IP address ranges
1 Display the VNC Server Properties dialog (see To display VNC Server Properties).
2 Select the Connections tab.
3 Either add or edit an entry:
• Add a new entry: Click the Add button.
• Edit an existing entry: Highlight the entry in the Access Control list and click the Edit button.
The Host IP address pattern dialog will be displayed.
4 In the edit area, enter or edit the required IP address followed by a ‘/’ and then the range mask – see Calculating a range mask for access control for details.
Note: If you do not enter a range mask after the IP address, VNC Server 4 will assume that you intend to define a single address and automatically insert the necessary 255.255.255.255 for you.
5 Select the Allow, Deny or Query options, as necessary.
Note: The order of entries within the access control list is critical to the correct operation of VNC Server 4. See Ordering entries in the access control list for details.
6 Click the OK button to add the selected address to the list within the Connections tab.
7 Click the Apply button in the lower right corner of the VNC Server Properties window.
Note: The ‘+’ entry in the Access Control list means ‘accept all addresses’. If you wish to allow only those addresses that you specify, then you must remove the ‘+’ from the list. You should also add the entry -0.0.0.0/0.0.0.0 (usually at the end of the list) to ensure that no other addresses can gain access.
You can now:
• Add another address
• Use the Move Up and Move Down buttons to adjust the order
• Delete an unwanted entry

Calculating a range mask for access control
A range mask is used to define the number of IP addresses that will be given special treatment (either to be allowed, denied or queried) when attempting to connect with the VNC Server 4. The range mask operates in a similar manner to a standard subnet mask because it informs the system (in this case the VNC Server 4) which sections of an IP address are significant, and which are not.
To understand the range mask, you need to view it in binary form. Thus, a typical range mask of 255.255.255.224 looks like this when converted to binary:
11111111.11111111.11111111.11100000
The ones indicate the parts of a corresponding IP address that will be examined, whereas the zeroes mark the parts of the IP address that form the range and will be ignored. Hence, the more zeroes there are (and accordingly, the fewer ones), the larger the address range that will be encompassed.
Note: A range mask of 255.255.255.255 examines the whole of the IP address and so defines a single location.
Consider the IP address 192.168.8.22 combined with a range mask of 255.255.255.252. Once applied, the result is as follows:
11000000.10101000.00001000.00010110  IP address (decimal equivalent: 192.168.8.22)
11111111.11111111.11111111.11111100  Range mask (decimal equivalent: 255.255.255.252)
11000000.10101000.00001000.000101xx  Result (xx values will be ignored)
11000000.10101000.00001000.00010100  lowest address in the range: 192.168.8.20
11000000.10101000.00001000.00010111  highest address in the range: 192.168.8.23
Thus, due to the two zeroes on the right hand side of the range mask, the values of the equivalent bits in the IP address are ignored. This means that addresses running from 192.168.8.20 (where these two bits are both zero) through to 192.168.8.23 (where these two bits are both one) will all be treated in the same manner. This is the range that VNC Server 4 would allow, deny or query, as instructed.
If the range mask (for the same IP address) was changed to 255.255.248.0, then the third octet would also be affected, as follows:
11000000.10101000.00001000.00010110  IP address (decimal equivalent: 192.168.8.22)
11111111.11111111.11111000.00000000  Range mask (decimal equivalent: 255.255.248.0)
11000000.10101000.00001xxx.xxxxxxxx  Result (xx values will be ignored)
11000000.10101000.00001000.00000000  lowest address in the range: 192.168.8.0
11000000.10101000.00001111.11111111  highest address in the range: 192.168.15.255

The following is a list of all valid octet numbers that can be used within a range mask. These values can be used at any of the four positions in the mask. However, if there is a zero at any position (in binary) of any octet, then everything to the right of that zero must also be a zero.
Mask value  Binary    Addresses encompassed
255         11111111  1 address
254         11111110  2 addresses
252         11111100  4 addresses
248         11111000  8 addresses
240         11110000  16 addresses
224         11100000  32 addresses
192         11000000  64 addresses
128         10000000  128 addresses
0           00000000  256 addresses
In reality, the range that needs to be defined may not align itself neatly with even binary boundaries. In such cases it may be necessary to use two or more entries, each with smaller ranges, to accomplish the task accurately. For example, to allow the range 192.168.8.19 to 192.168.8.37, you would need the following entries:
IP address/Range mask
+192.168.8.19/255.255.255.255  defines 1 address
+192.168.8.20/255.255.255.252  defines 4 addresses
+192.168.8.24/255.255.255.248  defines 8 addresses
+192.168.8.32/255.255.255.252  defines 4 addresses
+192.168.8.36/255.255.255.254  defines 2 addresses
General tips
• There should be no zeroes to the left of a one – while it is technically possible to mix ones and zeroes in a mask, it produces erratic results and should be avoided.
• The stated IP address for each range can be from anywhere within the range, i.e. the stated IP address does not have to be the first one; it could be the last or be from the middle of the range.
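The range-mask arithmetic above, including the split of 192.168.8.19 to 192.168.8.37 into aligned entries, as an added Python example that is not part of this guide or of RealVNC's software. It applies a mask the way the text describes (ones examined, zeroes ignored), refuses a mask with a zero to the left of a one, and computes the fewest aligned address/mask entries for an arbitrary range; the function names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def binary_view(dotted):
    """Dotted quad -> the dotted binary form the guide uses to explain masks."""
    bits = f"{to_int(dotted):032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def is_contiguous(mask):
    """True when the mask is a run of ones followed only by zeroes
    (the guide's rule: no zero to the left of a one)."""
    ignored = (~to_int(mask)) & ALL_ONES        # the zero bits of the mask
    return (ignored & (ignored + 1)) == 0        # they form one low-order run


def mask_range(address, mask):
    """Apply a range mask to an address as the Connections tab does.

    Examined bits (ones) are kept; ignored bits (zeroes) span the range.
    Returns (lowest address, highest address, number of addresses).
    """
    if not is_contiguous(mask):
        raise ValueError(f"range mask {mask} mixes ones and zeroes; results would be erratic")
    a, m = to_int(address), to_int(mask)
    lowest = a & m                               # ignored bits all zero
    highest = lowest | ((~m) & ALL_ONES)         # ignored bits all one
    return (str(ipaddress.IPv4Address(lowest)),
            str(ipaddress.IPv4Address(highest)),
            highest - lowest + 1)


def cover_range(first, last, action="+"):
    """Split an arbitrary inclusive range into the fewest aligned
    address/mask entries, each a valid range-mask pattern."""
    networks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"{action}{n.network_address}/{n.netmask}" for n in networks]


if __name__ == "__main__":
    for addr, mask in (("192.168.8.22", "255.255.255.252"),
                       ("192.168.8.22", "255.255.248.0")):
        low, high, count = mask_range(addr, mask)
        print(f"{addr}/{mask}: {low} to {high} ({count} addresses)")
    for entry in cover_range("192.168.8.19", "192.168.8.37"):
        print(entry)
```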

Ordering entries in the access control list
When there are multiple entries within the Access Control list, the order of those entries becomes important due to the manner in which VNC Server 4 checks the list:
• As a new access request is received from a viewer, VNC Server 4 will compare the incoming IP address with the Access Control list. Starting at the top of the list, it proceeds downwards until the IP address of the incoming system matches an entry.
• When a match is found, the action for that entry (+ Allow, – Deny or ? Query) is carried out.
• Checks for this IP address will then cease, regardless of other matches further down the list.
Therefore, it is vital to order the list correctly, particularly where an address might be covered twice, for instance:
-192.168.1.0/255.255.255.0 Deny subnet 192.168.1.*
+192.168.1.24/255.255.255.255 Allow host 192.168.1.24
In this instance, a request to connect from a VNC viewer at 192.168.1.24 would be denied, even though it is specifically allowed in the second line in the list. This is because it matches the criteria of the first line where the whole of the 192.168.1.* subnet is denied. Swapping the order of the two lines would solve this particular problem.

To adjust the order of access control list entries
1 Display the VNC Server Properties window (see To display VNC Server Properties)
2 Select the Connections tab.
3 Click the required entry in the Access Control list to highlight it.
4 As appropriate, click either the Move Up or Move Down buttons to adjust its position within the list.
5 Click the Apply button in the lower right corner of the VNC Server Properties window.

To delete an access control list entry
1 Display the VNC Server Properties window (see To display VNC Server Properties)
2 Select the Connections tab.
3 Click the required entry in the Access Control list to highlight it.
4 Click the Remove button.
5 Click the Apply button in the lower right corner of the VNC Server Properties window.
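The first-match rule described above, as an added example (not RealVNC code): it parses entries in the guide's +/–/? address/mask syntax and walks the list from the top, so the misordered pair from the text denies 192.168.1.24 while the swapped pair allows it. What VNC Server does when no entry matches is not stated in the guide, so the function returns None in that case.

```python
"""First-match evaluation of a VNC Server 4 style access control list.

Added example, not RealVNC code. Entries use the syntax shown in the guide:
an action character (+ allow, - deny, ? query) followed by address/mask."""
import ipaddress
from typing import Optional


def parse_entry(entry: str) -> tuple[str, int, int]:
    """Split '+192.168.1.24/255.255.255.255' into (action, network, mask) as ints."""
    action, spec = entry[0], entry[1:]
    if action not in "+-?":
        raise ValueError(f"unknown action {action!r} in {entry!r}")
    addr_text, mask_text = spec.split("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = int(ipaddress.IPv4Address(mask_text))
    # The mask zeroes the host bits, so keep only the entry's network part.
    return action, addr & mask, mask


def evaluate(acl: list[str], viewer_ip: str) -> Optional[str]:
    """Return the action of the first matching entry, or None if nothing matches.

    Mirrors the guide's description: walk the list from the top, AND the
    incoming address with each entry's mask, compare with the entry's network,
    and stop at the first hit regardless of any later entries.
    """
    incoming = int(ipaddress.IPv4Address(viewer_ip))
    for entry in acl:
        action, network, mask = parse_entry(entry)
        if incoming & mask == network:
            return action
    # No entry matched. The guide does not say what VNC Server does here
    # (assumption: treat it as "no decision" and let the caller choose).
    return None


# Constructed from the guide's own example: deny the subnet, then allow one host.
MISORDERED = ["-192.168.1.0/255.255.255.0", "+192.168.1.24/255.255.255.255"]
# The corrected order: the specific host entry sits above the subnet entry.
CORRECTED = ["+192.168.1.24/255.255.255.255", "-192.168.1.0/255.255.255.0"]

if __name__ == "__main__":
    print(evaluate(MISORDERED, "192.168.1.24"))  # '-' : denied by the subnet entry
    print(evaluate(CORRECTED, "192.168.1.24"))   # '+' : host entry now hits first
    print(evaluate(CORRECTED, "192.168.1.99"))   # '-' : rest of the subnet still denied
```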

Dealing with firewalls
A common cause of VNC operational failures is related to firewalls. One of the key functions of a network firewall is to block the use of most port numbers by incoming network traffic in order to prevent access by unauthorised or malicious users. Therefore, unless an exception is made for the specific ports used by VNC, any attempt to connect to a VNC Server situated behind a firewall will be denied. There are a number of options available to you in these situations:
• Adjust the firewall rules to allow incoming traffic via the ports required by VNC, i.e. Port 5900 and port 5800.
IMPORTANT: Firewall rule changes should be carried out only by an experienced operator. Incorrect configuration could leave a network open to attack. The exact details for changing rules alter between differing firewall types and are beyond the scope of this guide.
• Place the VNC Server system outside the firewall and use its security to allow only authorised users.
IMPORTANT: When placing the VNC Server externally to a firewall, i.e. with open access to an outer network, such as the Internet, it is vital that full security features are employed, both within VNC Server 4 and also for the operating system upon which the server is running. See the Configuration section for more details.
• Set VNC viewers to ‘listen’ and initiate connections from the VNC Server 4.
This removes the need to make the server accessible from outside the firewall. See Listening viewer for details.
• Use Windows Firewall (Windows XP Service-Pack 2 and newer)
Recent versions of Windows XP include a built-in firewall. From Service Pack 2 onwards, the firewall can be easily configured to allow particular applications to open whichever ports they require. By adding an ‘Application Exception’ to the Windows Firewall for the VNC Server, both User- and Service-mode servers can be made accessible remotely without the need for port numbers to be specified explicitly. Starting with Enterprise Edition 4.1.3, the VNC server is able to detect Windows Firewall and configure it automatically when the VNC Server Properties dialog is dismissed.

Changing VNC ports
• The VNC port – Default setting: 5900 – This is the main port through which the VNC connection is channelled. This port is set as standard to 5900, which is where the VNC Viewer applications will expect to find it.
• The Java Viewer port – Default setting: 5800 – This port is used to serve the Java viewer applet to requesting Web browsers. This port number is automatically set to be 100 less than the main VNC port. However, you can adjust it to use any vacant port number, or even to use the same port as is used for VNC connections.

To change port numbers
1 Display the VNC Server Properties window (see To display VNC Server Properties).
2 Select the Connections tab.
3 Edit the required port number:
‘Accept connections on port:’ – Edit this value to determine the main port used for viewer connections. Remember, if this is set to any value other than 5900, incoming viewers will need to specify the new number. See VNC Viewer documentation - Making a connection for details.
‘Serve Java viewer via HTTP on port:’ – Edit this value to select the port used to send the Java viewer to browsers. Ensure that the check-box is also ticked.
When you change the ‘Accept connections on port:’ entry, the ‘Serve Java viewer via HTTP on port:’ option will adjust itself to retain the same spacing, as currently exists, between it and the main port number. For instance, if the main port is changed from 5900 to 5950, then the Java port will accordingly change from 5800 to 5850.
Note: To reduce the number of ports that are open within a firewall, it is possible to set the ‘Accept connections on port:’ and ‘Serve Java viewer via HTTP on port:’ to use the same port number. The disadvantage of doing this is that it will add a slight delay when connecting to the VNC Server 4. The performance of VNC Server 4 will not otherwise be affected.
4 Click the Apply button in the lower right corner of the VNC Server Properties window.

What is an IP address?
An IP address is a unique identity given to every device connected to a network of any size: from a two system link up at home, to every system on the Internet.
IP addresses are written as four decimal numbers separated by full stops, such as 192.168.0.4. This is called dotted decimal notation and is used as a means of concealing the equivalent real address that is actually used by computers and networking equipment. The bare truth is that every IP address is really a pattern of 32 ones and zeroes.
At the inception of the Internet in the 1960s and 1970s, even by wildest estimates, no one ever expected they would need more than the seemingly inexhaustible 4.2 billion unique address patterns that are afforded by 32 ones and zeroes. However, two factors conspired to prove this to be wrong: Firstly, the amazing proliferation and expansion of the Internet; and secondly, the rather inefficient way in which those addresses were originally handed out to organisations and companies. The result was that by the early 1990s, it was already apparent that at the projected growth rates, the reserve of 4.2 billion addresses would soon all be gone.
In order to prolong the current stocks of numbers, the allocation of addresses was greatly tightened and the idea of public and private addresses was introduced. In the opening sentence here, it was stated that an IP address is a unique identity - this is no longer strictly true.
Of the 4.2 billion possible addresses, almost all of them are still used as unique public addresses. However, in the revised plan, three groups of addresses were held aside for use as private addresses:
• 10.0.0.0 to 10.255.255.255
• 172.16.0.0 to 172.31.255.255
• 192.168.0.0 to 192.168.255.255
To avoid confusion, these ranges are never used as public addresses.
Now, when xyz company needs to connect their many internal computers to the Internet, they might only be given a single public address, say 80.42.0.252. They would then connect a Gateway system to the Internet and give it that unique public address. Situated on the other side of that gateway would be the company’s local network and every system in that local network would receive a private IP address. For small local networks, the most common private address range is that which starts at 192.168.0.0.
Every computer in the local network (or subnet) will use a number that is unique to it within the local network. However, the public identity for all of those local systems, as they pass information out across the Internet, will always be that of the gateway: 80.42.0.252. It is the job of the gateway to translate addresses between the local and wider networks. The gateway must ensure that messages and data are sent through to the correct locations without the private addresses ever leaking out. Assisting with this task are the subnet mask and port numbers. In this way, there are now many systems using similar private IP addresses; however, because those numbers only ever exist in local domains, there is never any confusion.
Of course, most people never see an IP address. To make network addresses even more memorable than the dotted decimal notations (which in turn are used to hide the true binary values), they are usually converted into named addresses. Such conversions are handled by the Domain Name System and your browser uses it every time you visit a web site.

[Figure: the XYZ Company local network and the ABC Limited local network each contain systems with the private IP addresses 192.168.0.2 and 192.168.0.24. Each network reaches the Internet through its own gateway, which carries a public IP address: 80.42.0.252 for XYZ Company and 82.76.2.34 for ABC Limited.]
No two devices on the Internet are permitted to have the same identity; however, IP addresses are running out. Hence, public and private addresses were introduced to alleviate the problem.
The systems in the xyz company appear to have the same private addresses as those in the abc limited local network. However, there is no ambiguity because to the outside world, they use the public addresses of their gateways. Their gateways handle all of the address translation and ensure that the private addresses never leak out onto the wider Internet.

What is a Subnet mask?
The very short answer is: A subnet mask helps to determine whether another device is within the same part of the network or elsewhere.
For the longer answer you need to consider, in basic terms, a typical local network consisting of several, or several hundred, systems connected together. Messages and data flow around every part of the local network and are then picked up by the systems to which they are addressed. Because all this information needs to go around the whole local network, there are great performance (and security) advantages to splitting local networks into smaller collections of systems, which are called subnets. A key part of making different subnets cooperate efficiently is the subnet mask that is given to every device along with their unique IP address.
A subnet mask is expressed in the same way as an IP address in that it has four decimal numbers separated by dots. A common subnet mask is 255.255.255.0
When System A (IP address 192.168.2.122 and subnet mask 255.255.255.0) wants to send information to System B (IP address 192.168.2.235), it must first check whether they are both in the same part of the network (in the same subnet). To do this System A first performs a comparison between its own IP address and its own subnet mask:

192.168.128.102 System A address
255.255.255.000 Subnet mask
192.168.128.000 Result

The parts corresponding to 255’s in the subnet mask indicate the Network ID (which defines the identity of the subnet). The part corresponding to 0 in the mask shows the Host ID (which defines a system’s position within the subnet). Only the Network ID parts are required when determining whether the two addresses belong to the same subnet. Therefore, the Host ID portion is reduced to zero because it is not needed for this calculation.
The sending system then repeats the subnet mask comparison, but this time with the destination address:

192.168.128.219 System B address
255.255.255.000 Subnet mask
192.168.128.000 Result

The results of the two subnet mask calculations can then themselves be compared:
192.168.128.0 = 192.168.128.0 ? 
• If the two results are equal, then the two addresses lie within the same subnet.
• If the two results are not equal, then the destination device is within a different subnet, in which case, the sender will mark the information to go via the gateway system onto a different network or subnet.

How a subnet mask actually works
In the subnet mask explanation opposite, the example given is 255.255.255.0. This is a commonly used subnet mask and is useful as an example because it helps to simplify matters. However, in reality a subnet mask might look like this:
255.255.255.224
This only starts to make sense when you look at the subnet mask in its binary form:
11111111.11111111.11111111.11100000
The portions covered from left to right by ones mark the Network ID (the location of the whole subnet), while the zeroes on the right show that just the last four bits of the device’s IP address are used as the Host ID (the device’s position within the subnet).
The calculation that the devices carry out is known as a bitwise AND. Basically, when you stack up the IP Address and the subnet mask (both in binary), wherever the equivalent positions in both rows have a one, the end result is one. Where either of them have a zero, the result is zero. If you take the previous Device A example, but now use the new subnet mask mentioned above, the results are as follows:

11000000.10101000.10000000.01100110 IP address (decimal equivalent: 192.168.128.102)
11111111.11111111.11111111.11100000 Subnet mask (decimal equivalent: 255.255.255.224)
11000000.10101000.10000000.01100000 Result (decimal equivalent: 192.168.128.96)

Using this method you can see that only the last four bits are affected and this means that any of the other IP addresses from the same subnet: 192.168.128.96 through to 192.168.2.127 would produce the same result.
Using the new subnet mask on the Device B address from the previous example would produce the following result:

11000000.10101000.10000000.11011011 IP address (decimal equivalent: 192.168.128.219)
11111111.11111111.11111111.11100000 Subnet mask (decimal equivalent: 255.255.255.224)
11000000.10101000.10000000.11000000 Result (decimal equivalent: 192.168.128.192)

192.168.128.96 = 192.168.128.192 ? 
Hence, the two devices now lie in different subnets and the information would need to travel via a gateway/router.
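The bitwise AND working shown above, as an added example (not RealVNC code): it renders the three binary rows for any address and mask, makes System A's same-subnet decision, and also carries out the lowest/highest address calculation used earlier for access control range masks. The sample addresses are the guide's own; host_bits assumes a contiguous mask.

```python
"""Bitwise AND of an IP address with a mask, in the guide's binary layout.

Added example, not RealVNC code. Reproduces the three-row working from the
subnet mask section and the lowest/highest address calculation for range masks."""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def to_binary(value: int) -> str:
    """Render a 32-bit value as four dotted groups of eight bits, as the guide does."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def network_id(address: str, mask: str) -> str:
    """The Result row: the host bits are cleared by ANDing address and mask."""
    return to_dotted(to_int(address) & to_int(mask))


def working(address: str, mask: str) -> str:
    """The three binary rows with their decimal equivalents, as printed in the guide."""
    a, m = to_int(address), to_int(mask)
    return "\n".join([
        f"{to_binary(a)} IP address (decimal equivalent: {address})",
        f"{to_binary(m)} Subnet mask (decimal equivalent: {mask})",
        f"{to_binary(a & m)} Result (decimal equivalent: {to_dotted(a & m)})",
    ])


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """System A's test: compare the two Result rows; unequal means go via the gateway."""
    return network_id(addr_a, mask) == network_id(addr_b, mask)


def address_range(address: str, mask: str) -> tuple[str, str]:
    """Lowest and highest address covered by address/mask (the range mask calculation)."""
    m = to_int(mask)
    lowest = to_int(address) & m          # every host bit zero
    highest = lowest | (~m & 0xFFFFFFFF)  # every host bit one
    return to_dotted(lowest), to_dotted(highest)


def host_bits(mask: str) -> int:
    """Size of the Host ID: the zero bits on the right (assumes a contiguous mask)."""
    return 32 - bin(to_int(mask)).count("1")


if __name__ == "__main__":
    print(working("192.168.128.102", "255.255.255.224"))
    print(same_subnet("192.168.128.102", "192.168.128.219", "255.255.255.0"))    # True
    print(same_subnet("192.168.128.102", "192.168.128.219", "255.255.255.224"))  # False
    print(address_range("192.168.128.102", "255.255.255.224"))  # 192.168.128.96 .. 192.168.128.127
    print(address_range("192.168.8.0", "255.255.248.0"))        # 192.168.8.0 .. 192.168.15.255
    print(host_bits("255.255.255.224"))  # 5
```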

What is a port?
Not to be confused with a physical port (such as a USB port or a printer port) to which you
connect devices, a Port in this context could be more accurately described as a ‘service contact
point’. It provides an indication of where to locate an appropriate known service that can deal
with the kind of data being transmitted.
Imagine the problem that exists for networking equipment. A disparate mixture of messages
and information are continually flowing from system to system, via gateways and routers, and
each needs to find the correct destination. In this process, the IP address plays a critical role
in making sure that the right items arrive at the right places, however, the unsung hero is defi-
nitely the port number. While the IP address directs the postman to the correct building, it’s
the port number that gets the package through the door of the correct apartment. Without
the port number, there would be piles of unclaimed packages filling the foyer.
Every application that sends or receives information across a network uses a port number.
In many cases they are fixed numbers that are always used by particular applications, and
because they are not often changed, they are not normally mentioned. For instance, if you
send an email (via the most common method), then your message will be marked with port
number 25. Whenever you browse the Web, the information will always be denoted with port
number 80 and VNC applications almost always send and receive using port number 5900.
The systems at the receiving end then know to route messages marked as port 25 to the email
server, port 80 to the web server, port 5900 to the VNC server and so on.
You should not normally need to change the VNC port number within VNC Server 4, how-
ever, if you do then all viewers must declare the new port number when addressing the server
system. For instance, if the port number was changed to 5950, then to reach a server at IP
address 192.168.0.2, the VNC Viewer user would need to enter:

192.168.0.2::5950
(note the double colons)
Port numbers can range from 0 to 65,535 and are generally divided into three ranges:
• 0 to 1023 are well known ports
• 1024 to 49151 are registered ports
• 49152 to 65535 are dynamic and/or private ports
A list of valid port numbers and their uses is maintained by the Internet Assigned Numbers
Authority and can be viewed at http://www.iana.org/assignments/port-numbers.

VNC authentication and encryption
VNC user and server authentication
Open network connections pose a number of security challenges and the VNC system has now been updated to provide robust solutions. In addition to the possibility of attackers attempting to gain server access, there is also the chance that false servers can be spoofed to mimic real ones and lure users into disclosing important information. To defend against server attackers, VNC provides secure password protection. To defeat server spoofers, VNC Servers are now required to prove their authenticity by providing a unique identity code before any viewer details are declared. These features are combined with the new high strength link encryption to present a sizeable barrier to attackers.

VNC link encryption
Network links in general, and the Internet in particular, pose an ever present threat of system spoofing and eavesdropping on connections between systems. The VNC user and server authentication system defeats the former threat, while strong data encryption of the type used by VNC presents a significant barrier to eavesdroppers.
When either the VNC viewer or VNC server enables encryption, both parties exchange codes called public keys. From that moment, all information is encrypted prior to transmission, using the other party’s public key. As encrypted information is received, the receiving party then uses its matching private key to restore the sent information to its original form.
Any eavesdropper who manages to intercept the information flowing between the VNC viewer and server (called a man-in-the-middle attack) will be presented with an unintelligible mess. Even if they were able to capture the public keys, they would still be unable to decode and make sense of the encrypted information.
Due to the calculations that must be performed to codify transmitted information, the use of encryption does impose a slight overhead on performance, estimated to be around 10%.

Windows version support
Most releases of Windows are supported by VNC Server 4. Some versions, however, lack certain functionality or cause known problems.

Older Windows versions
VNC Server 4 is not designed to operate with older versions of Windows including 3.1, 3.11, NT 3.1 or NT 3.51.

Windows 95
VNC Server 4 will operate with Windows 95 systems that have the Windows Socket 2 Update (Winsock 2.0) or higher installed – Available from Microsoft at:
http://www.microsoft.com/windows95/downloads/contents/wuadmintools/s_wunetworkingtools/w95sockets2/
Due to limitations within Windows 95, it is not possible for the VNC Server settings to be secured in the system registry.

Windows 98 / Windows Me
Under Windows 98 and Windows ME it is not possible for the VNC settings (including the server’s password) to be properly secured in the registry - this is an intrinsic limitation of these platforms. NT Logon authentication is not supported on these platforms. Public-key based Server authentication and 128-bit session encryption are supported on these platforms, with the caveat that server private keys cannot be secured in the registry, since they do not support registry security.

Windows NT 4.0
VNC Server 4 will not run in Service Mode unless Windows NT Service Pack 3 or later has been installed. VNC Server 4 can be operated in User Mode. Note that Windows NT 4.0 does not support the NT Logon authentication configuration dialog at this time.

Windows 2003 Server
VNC Server 4 is designed to be fully compatible with Windows 2003 Server.

Windows XP
VNC Server 4 is fully compatible with Windows XP, however, the Fast User Switching and Remote Desktop features within Windows XP can cause problems due to limitations in the Windows Service mechanism. Please avoid using these features when running VNC Server 4.

Troubleshooting
VNC doesn’t seem to work properly with Windows XP
VNC will work with XP provided that Fast User Switching and Remote Administration are
not used. Windows XP uses the Terminal Services system to implement Fast User Switch-
ing and Remote Administration. This is not compatible with the current release of VNC,
but will be better supported in a future release.

VNC causes my Windows NT/2000/XP machine to blue screen
Windows NT Version 4 has bugs in certain operating system interfaces which are used by
VNC. You must have service pack 3 or higher installed to avoid problems.
On Windows 2000/XP there are reports that blue screens occur as a result of having
Microsoft Hotfixes installed, with or without VNC installed.
VNC does not install any system level hooks or driver software. Consequently it cannot
cause machines to crash except by exposing bugs in the underlying operating system and
device drivers. If it appears that VNC causes your machine to crash, check that you have
the latest service packs, graphics drivers and network drivers installed for your system.

My computer uses roaming profiles, and with VNC installed the profiles
are sometimes not saved back to the server. It can take a very long time
to log out.
Versions of VNC prior to 3.3.6 have a bug that can cause this behaviour. Additionally, we have had reports that Windows 2000 machines with Hotfix Q329170 installed exhibit the same behaviour, with or without VNC installed.

SECTION 6

Support
If you are unable to solve your problem after checking through the Troubleshooting section in
this guide, please take a look at our on-line FAQ page and also the Known Bugs & Features sec-
tion of the RealVNC website.
If you still cannot find a solution, then please contact us for further assistance:

Via the web
The www.realvnc.com website offers a number of ways to gain assistance regarding VNC products:

Search indexes
Provides an opportunity to search through the various VNC databases for solutions
www.realvnc.com/swish-e/search

Mailing lists
Real VNC provide discussion forums for important announcements and many other VNC-re-
lated subjects. You can browse or search previous discussion entries, or alternatively subscribe to
one or more forums.
www.realvnc.com/lists.html

Product support request
This section lets you send queries directly to the VNC development team.
www.realvnc.com/cgi-bin/support.cgi

By post
RealVNC Limited
17d Sturton Street
Cambridge
CB1 2SN

Documentation by: www.ctxd.com

Index
A
Accept clipboard updates 16
Accept keyboard events 16
Accept pointer events 16
Access control 15, 25
  ordering entries 27
  range mask 26
Allow access 25
Allow input events 16
Attack
  man-in-the-middle 32
Authentication
  user and server 32
C
Capture alpha-blended windows 19
Changing VNC ports 28
Close VNC Server 7
Configure
  as a service 4, 10
Connections tab
  settings 15
Customising
  for security 5
  for speed 6
D
Demo systems
  optimal settings 6
Deny access 25
Desktop tab
  settings 18
Disable local inputs 16
Disconnect idle clients 15
E
Encryption 14, 32
F
FAQ 35
Firewalls
  dealing with 28
H
Hooks tab
  settings 19
I
Import VNC 3.3 Settings 20
Inputs tab
  settings 16
Installing 4, 10
IP address
  what is it? 29
L
Legacy tab
  settings 20
Listening viewer 24
N
Notification area icon 7
NT Logon Authentication 13
O
Operation modes 23
Optimising
  for demo systems 6
P
Password
  setting 13
Poll console windows 19
Port
  what is it? 31
Port numbers
  changing 28
Q
Query access 25
R
Range mask
  calculating 26
Register
  service mode 4
S
Security
  optimal settings 5
Security tab
  settings 13
Send clipboard updates 16
Server’s IP address
  discovering 7
Service mode 23
  unregister 4
Sharing tab
  settings 17
Speed
  optimal settings 6
Starting VNC Server 7
Stopping VNC Server 8
Subnet mask
  what is it? 30
Support
  getting assistance 35
System tray icon 4, 7
T
Troubleshooting 34
U
Unregister
  service mode 4
User mode 23
Use VNC hooks 19
V
VNC Server icon
  in system tray 7
VNC Server Properties
  displaying 12
W
When last client disconnects 18
While connected 18
Windows
  versions and limitations 33
